I have an SPS in the DMZ. This SPS is forwarding all requests to another SPS in the internal network. The second SPS has an agent and displays an FCC for users to be able to authenticate to access a protected resource that's on another application server. So in effect, I have two reverse proxies.
My issue is that when the second agent pops up the login page, the target is the hostname of the second SPS. I need it to assume the hostname of the first proxy. I set enableproxypreservehost=yes on the virtual host of the second proxy. But this doesn't help. When I set enableproxypreservehost=yes on the first SPS, it throws a virtual host not properly configured error.
How would I go about this?
For more on enableproxypreservehost, please visit the link below:
Preserve HOST Header Issue
In your case, could you please share the proxyrules configured in both the SPS servers?
ENABLEPROXYPRESERVEHOST maintains the value of the HTTP_HOST header that is sent from an SPS to the backend server.
When enabled on SPS (Yes), HTTP_HOST Header value is FQDN accessed on Browser.
When disabled on SPS (No), HTTP_HOST Header value is FQDN of backend server set in proxyrules.xml.
In your case, ENABLEPROXYPRESERVEHOST maintains the HTTP_HOST header that is sent from an SPS (e.g. the first SPS server) to the backend server (e.g. the second SPS server). This means the HTTP_HOST header would be the FQDN accessed in the browser.
NOTE: There are another two settings, EnableRedirectRewrite and redirectrewritablehostnames. These also play a major role in the request flow, because it is a 302 redirect to the login page. Basically we need to analyse your request flows from Browser --> First SPS --> Second SPS and also the response from Second SPS --> First SPS --> Browser.
I would suggest setting enableproxypreservehost=no on the second SPS server. Set enableproxypreservehost=yes only on the first SPS server. Now restart the SPS. Run the journey and check in the WebAgentTrace logs of the second SPS what the HTTP_HOST header value is.
The first step is to investigate the TARGET, because that is the first URL that you are accessing in the browser. When it passes through SPS-1 and SPS-2, what does the SPS-2 WebAgentTrace see? You can also run Wireshark on SPS-2 to see traffic from SPS-1 and the HTTP_HOST header value being sent from SPS-1. The HTTP_HOST header value should always be the FQDN accessed from the browser.
The second step is login page redirect and the TARGET query parameter. FQDN of the Login page and FQDN within TARGET in query parameter.
One question I do have is: does SPS-2 also proxy to the backend server for the actual TARGET? If yes, then enableproxypreservehost=(yes/no) also comes into play for SPS-2.
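
Added example (not part of the thread, and not SPS code): a small Python model of the rule described in the reply above, showing which Host header the SPS-2 agent and the application server would receive for each yes/no combination of enableproxypreservehost across the two proxies. All hostnames are constructed placeholders, and the model assumes each proxy forwards to a single backend defined in its proxy rules.

```python
# Model of the Host-header rule stated in the thread; this is an illustration,
# not SPS code. All hostnames below are constructed placeholders.
from dataclasses import dataclass


@dataclass
class Proxy:
    name: str
    preserve_host: bool  # models enableproxypreservehost=yes/no
    backend_fqdn: str    # models the forward target set in proxyrules.xml

    def outgoing_host(self, incoming_host: str) -> str:
        """Host header this proxy sends on to its backend."""
        return incoming_host if self.preserve_host else self.backend_fqdn


def trace(browser_fqdn, chain):
    """Return [(hop name, Host header received)], ending with the final backend."""
    seen = []
    host = browser_fqdn
    for proxy in chain:
        seen.append((proxy.name, host))
        host = proxy.outgoing_host(host)
    seen.append(("backend", host))
    return seen


def host_matrix(browser_fqdn, sps2_fqdn, app_fqdn):
    """Map (SPS-1 setting, SPS-2 setting) -> (Host at SPS-2 agent, Host at app server)."""
    result = {}
    for p1 in (True, False):
        for p2 in (True, False):
            chain = [Proxy("SPS-1", p1, sps2_fqdn), Proxy("SPS-2", p2, app_fqdn)]
            hops = dict(trace(browser_fqdn, chain))
            result[(p1, p2)] = (hops["SPS-2"], hops["backend"])
    return result


if __name__ == "__main__":
    matrix = host_matrix("portal.example.com", "sps2.internal.example", "app.internal.example")
    for (p1, p2), (at_sps2, at_app) in matrix.items():
        print(f"SPS-1 preserve={'yes' if p1 else 'no':3}  SPS-2 preserve={'yes' if p2 else 'no':3}  "
              f"agent on SPS-2 sees {at_sps2:22}  app server sees {at_app}")
```

In this model the SPS-2 agent sees the browser's FQDN only when SPS-1 preserves the host; SPS-2's own setting changes only what the application server receives.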